
44 matches found

Mageia
added 3 days ago | 9 views

Updated cockpit packages fix security vulnerabilities

CVE-2026-4631, Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects...

CVSS 9.8 | AI score 7 | EPSS 0.3039
Exploits: 3 | References: 27

CVE
added 2026/05/18 12:0 a.m. | 12 views

CVE-2026-39079

CVE-2026-39079 affects Prestashop Upsshipping (all versions through at least 2.4.0) and enables an attacker to access sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components. The provided sources do not specify the exact root cause or exploi...

CVSS 7.5 | AI score 5.8 | EPSS 0.00055
Exploits: 0 | References: 1

NVD
added 2026/05/15 4:16 p.m. | 5 views

CVE-2026-45803

gh is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerabilit...

CVSS 3.5 | EPSS 0.00034
Exploits: 1 | References: 1

EUVD
added 2026/04/01 9:21 p.m. | 3 views

EUVD-2026-18072

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface. If any stored XSS payload exists within logged...

CVSS 9.1 | AI score 5.8 | EPSS 0.00022
Exploits: 1 | References: 2

RedhatCVE
added 2025/10/25 12:43 a.m. | 2 views

CVE-2025-60936

Emoncms 11.7.3 is vulnerable to Cross Site in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs...

CVSS 6.1 | AI score 6.7 | EPSS 0.00034
Exploits: 1 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-7626

Malware in sbrugna...

CVSS 9 | AI score 9.2 | EPSS 0.00217
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2016-1324

Malware in sbrugna...

CVSS 5.5 | AI score 5.6 | EPSS 0.00226
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-1112

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00267
Exploits: 0 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-33682

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.0023
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-25621

Malicious code in bioql PyPI...

CVSS 5.4 | AI score 6.3 | EPSS 0.0049
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 5 views

EUVD-2024-2078

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00184
Exploits: 1 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-2144

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 4.9 | EPSS 0.0003
Exploits: 0 | References: 5

OSV
added 2025/08/29 10:15 p.m. | 0 views

UBUNTU-CVE-2025-58160

tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into...

CVSS 2.3 | AI score 6 | EPSS 0.00112
Exploits: 0 | References: 4

Veracode
added 2025/08/14 7:24 a.m. | 3 views

Improper Output Neutralization For Logs

org.apache.struts, struts-extras is vulnerable to Improper Output Neutralization for Logs. The vulnerability is due to LookupDispatchAction printing untrusted input to logs without filtering, which allows an attacker to craft input that injects misleading log entries, potentially confusing human ...

CVSS 6.5 | AI score 7 | EPSS 0.01181
Exploits: 0 | References: 4 | Affected Software: 2

Vulnrichment
added 2025/07/31 8:41 p.m. | 3 views

CVE-2025-23289

NVIDIA Omniverse Launcher for Windows and Linux contains a vulnerability in the launcher logs, where a user could cause sensitive information to be written to the log files through proxy servers. A successful exploit of this vulnerability might lead to information disclosure...

CVSS 5.5 | AI score 6.5 | EPSS 0.00082
Exploits: 0 | References: 1

Github Security Blog
added 2025/07/30 6:31 p.m. | 6 views

Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

UNSUPPORTED WHEN ASSIGNED Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead...

CVSS 6.5 | AI score 6.3 | EPSS 0.01181
Exploits: 0 | References: 4 | Affected Software: 2

Positive Technologies
added 2025/07/30 12:0 a.m. | 4 views

PT-2025-31399 · Apache · Apache Struts Extras

Name of the Vulnerable Software and Affected Versions: Apache Struts Extras versions prior to 2 Description: This issue involves improper output neutralization for logs in Apache Struts Extras. When using LookupDispatchAction, untrusted input may be printed to logs without filtering. This can lea...

CVSS 6.5 | AI score 6.3 | EPSS 0.01181
Exploits: 0 | References: 8

RedhatCVE
added 2025/05/23 8:6 a.m. | 5 views

CVE-2024-45784

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially...

CVSS 7.5 | AI score 7.5 | EPSS 0.01059
Exploits: 0

RedhatCVE
added 2025/05/23 7:40 a.m. | 4 views

CVE-2024-55886

OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data Prepper starting in version 2.1.0 and prior to version 2.10.2 where some custom authentication...

CVSS 6.9 | AI score 7 | EPSS 0.00396
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 2:54 a.m. | 4 views

CVE-2023-0219

The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting (XSS) attacks when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML...

CVSS 5.4 | AI score 5.9 | EPSS 0.00181
Exploits: 2 | References: 1